diff --git a/backport-errors-handle-malloc-failure-in-usermsgs_put.patch b/backport-errors-handle-malloc-failure-in-usermsgs_put.patch new file mode 100644 index 0000000000000000000000000000000000000000..980d68de3600708d38b8e2d49d3836b517389d8d --- /dev/null +++ b/backport-errors-handle-malloc-failure-in-usermsgs_put.patch @@ -0,0 +1,39 @@ +From d4dba38ab101eee4cbd0c8d8aa21181825ef6472 Mon Sep 17 00:00:00 2001 +From: Aurelien DARRAGON +Date: Thu, 11 May 2023 18:49:14 +0200 +Subject: [PATCH] BUG/MINOR: errors: handle malloc failure in usermsgs_put() + +usermsgs_buf.size is set without first checking if previous malloc +attempt succeeded. + +This could fool the buffer API into assuming that the buffer is +initialized, resulting in unsafe read/writes. + +Guarding usermsgs_buf.size assignment with the malloc attempt result +to make the buffer initialization safe against malloc failures. + +This partially fixes GH #2130. + +It should be backported up to 2.6. + +Conflict:NA +Reference:https://github.com/haproxy/haproxy/commit/d4dba38ab101eee4cbd0c8d8aa21181825ef6472 + +--- + src/errors.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/errors.c b/src/errors.c +index 2e9d6afb7e04..5913cb1d509d 100644 +--- a/src/errors.c ++++ b/src/errors.c +@@ -229,7 +229,8 @@ static void usermsgs_put(const struct ist *msg) + /* Allocate the buffer if not already done. */ + if (unlikely(b_is_null(&usermsgs_buf))) { + usermsgs_buf.area = malloc(USER_MESSAGES_BUFSIZE * sizeof(char)); +- usermsgs_buf.size = USER_MESSAGES_BUFSIZE; ++ if (usermsgs_buf.area) ++ usermsgs_buf.size = USER_MESSAGES_BUFSIZE; + } + + if (likely(!b_is_null(&usermsgs_buf))) { diff --git a/backport-ssl_sock-add-check-for-ha_meth.patch b/backport-ssl_sock-add-check-for-ha_meth.patch new file mode 100644 index 0000000000000000000000000000000000000000..bccdbd9dc7ae1c24757aa3ca66597d9da97e1d00 --- /dev/null +++ b/backport-ssl_sock-add-check-for-ha_meth.patch @@ -0,0 +1,43 @@ +From 15c3d20e315f1f06c9649ae598de86d61d41085b Mon Sep 17 00:00:00 2001 +From: eaglegai +Date: Fri, 26 May 2023 16:42:47 +0800 +Subject: [PATCH] BUG/MINOR: ssl_sock: add check for ha_meth + +in __ssl_sock_init, BIO_meth_new may failed and return NULL if +OPENSSL_zalloc failed. in this case, ha_meth will be NULL, and then +crash happens in BIO_meth_set_write. So, we add a check for ha_meth. + +Conflict:NA +Reference:https://github.com/haproxy/haproxy/commit/15c3d20e315f1f06c9649ae598de86d61d41085b + +--- + src/ssl_sock.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/src/ssl_sock.c b/src/ssl_sock.c +index e637b0423a9a..ff0db9d1a1c2 100644 +--- a/src/ssl_sock.c ++++ b/src/ssl_sock.c +@@ -7561,13 +7561,15 @@ static void __ssl_sock_init(void) + ERR_load_SSL_strings(); + #endif + ha_meth = BIO_meth_new(0x666, "ha methods"); +- BIO_meth_set_write(ha_meth, ha_ssl_write); +- BIO_meth_set_read(ha_meth, ha_ssl_read); +- BIO_meth_set_ctrl(ha_meth, ha_ssl_ctrl); +- BIO_meth_set_create(ha_meth, ha_ssl_new); +- BIO_meth_set_destroy(ha_meth, ha_ssl_free); +- BIO_meth_set_puts(ha_meth, ha_ssl_puts); +- BIO_meth_set_gets(ha_meth, ha_ssl_gets); ++ if (ha_meth != NULL) { ++ BIO_meth_set_write(ha_meth, ha_ssl_write); ++ BIO_meth_set_read(ha_meth, ha_ssl_read); ++ BIO_meth_set_ctrl(ha_meth, ha_ssl_ctrl); ++ BIO_meth_set_create(ha_meth, ha_ssl_new); ++ BIO_meth_set_destroy(ha_meth, ha_ssl_free); ++ BIO_meth_set_puts(ha_meth, ha_ssl_puts); ++ BIO_meth_set_gets(ha_meth, ha_ssl_gets); ++ } + + HA_SPIN_INIT(&ckch_lock); + diff --git a/backport-thread-add-a-check-for-pthread_create.patch b/backport-thread-add-a-check-for-pthread_create.patch new file mode 100644 index 0000000000000000000000000000000000000000..61cd0b40de7052781b6440b2b9a78b975d734aed --- /dev/null +++ b/backport-thread-add-a-check-for-pthread_create.patch @@ -0,0 +1,31 @@ +From ef667b1ad89bb159b1991de0ec07d17e4320df23 Mon Sep 17 00:00:00 2001 +From: eaglegai +Date: Fri, 26 May 2023 16:44:34 +0800 +Subject: [PATCH] BUG/MINOR: thread: add a check for pthread_create + +preload_libgcc_s() use pthread_create to create a thread and then call +pthread_join to use it, but it doesn't check if the option is successful. +So add a check to aviod potential crash. + +Conflict:NA +Reference:https://github.com/haproxy/haproxy/commit/ef667b1ad89bb159b1991de0ec07d17e4320df23 + +--- + src/thread.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/thread.c b/src/thread.c +index d7128252ed0e..b41b6628a4cb 100644 +--- a/src/thread.c ++++ b/src/thread.c +@@ -1066,8 +1066,8 @@ static void *dummy_thread_function(void *data) + static inline void preload_libgcc_s(void) + { + pthread_t dummy_thread; +- pthread_create(&dummy_thread, NULL, dummy_thread_function, NULL); +- pthread_join(dummy_thread, NULL); ++ if (pthread_create(&dummy_thread, NULL, dummy_thread_function, NULL) == 0) ++ pthread_join(dummy_thread, NULL); + } + + static void __thread_init(void) diff --git a/haproxy.spec b/haproxy.spec index c585a846f0e9a60fd73a01cce594d01a4aa310d2..20f6d5bb26276df423a7d73101d8e1fcfe83f758 100644 --- a/haproxy.spec +++ b/haproxy.spec @@ -5,7 +5,7 @@ Name: haproxy Version: 2.6.6 -Release: 8 +Release: 9 Summary: The Reliable, High Performance TCP/HTTP Load Balancer License: GPLv2+ @@ -31,6 +31,9 @@ Patch11: backport-BUG-MINOR-server-inherit-from-netns-in-srv_settings_. Patch12: CVE-2023-0836.patch # https://github.com/haproxy/haproxy/commit/2eab6d354322932cfec2ed54de261e4347eca9a6 Patch13: CVE-2023-45539.patch +Patch14: backport-errors-handle-malloc-failure-in-usermsgs_put.patch +Patch15: backport-ssl_sock-add-check-for-ha_meth.patch +Patch16: backport-thread-add-a-check-for-pthread_create.patch BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic %ifarch sw_64 @@ -135,6 +138,15 @@ exit 0 %{_mandir}/man1/* %changelog +* Fri Dec 08 2023 xinghe - 2.6.6-9 +- Type:bugfix +- CVE:NA +- SUG:restart +- DESC:backport to fix potential coredump: + errors: handle malloc failure in usermsgs_put + ssl_sock: add check for ha_meth + thread: add a check for pthread_creat + * Wed Dec 06 2023 yaoxin - 2.6.6-8 - Fix CVE-2023-45539